Shearman & Sterling LLP | FinReg | European Banking Authority Provides Additional Opinion on Strong Customer Authentication Requirements for Account Servicing Payment Service Providers
Financial Regulatory Developments Focus
  • European Banking Authority Provides Additional Opinion on Strong Customer Authentication Requirements for Account Servicing Payment Service Providers
    06/04/2020
    The European Banking Authority has published an Opinion on the obstacles to the provision by third-party service providers of account information and payment initiation services under the revised Payment Services Directive (PSD2). PSD2 and the related Regulatory Technical Standards on strong customer authentication and common and secure communication (SCA RTS) require account servicing payment service providers (ASPSPs) to establish access interfaces through which third-party service providers can securely access a customer's payment accounts. Where an ASPSP provides a dedicated interface (as opposed to a modified customer interface), the SCA RTS require it to ensure that there are no obstacles to the provision of services by third-party service providers. The EBA has published the Opinion in response to queries from market participants on issues arising in this area.

    In the Opinion, the EBA clarifies that mandatory redirection is an obstacle if it creates "unnecessary friction" in a customer's experience when using a third-party provider's services or if the authentication process with the ASPSP is more arduous than if a customer accesses their payment accounts directly. The EBA also reaffirms the position stated in the Opinion published in June 2018 that mandatory redirection itself is not an obstacle. Market participants are directed to the EBA's guidelines on SCA, which also cover this issue.

    The EBA's latest Opinion also addresses the following issues:
     
    1. authentication procedures that ASPSPs’ interfaces are required to support;
    2. mandatory redirection at the point-of-sale;
    3. multiple SCAs;
    4. 90-days re-authentication; 
    5. account selection;
    6. additional checks on consent; and
    7. additional registrations.

    The EBA expects national EU regulators to monitor compliance of ASPSPs, in particular the redirection interfaces, and to take the guidance in the EBA's opinions and guidelines into account when doing so. The EBA intends to monitor for inconsistency of implementation of the requirements and will take further steps, if necessary.

    View the EBA's Opinion.

    View details of the EBA's June 2018 Opinion.

    View details of the EBA's guidelines.

    View details of the SCA RTS.
